sign in sign up

<<

Giving Mobile Security the Boot

Giving Mobile Security the Boot

Giving Mobile Security the Boot

Jonathan Levin http://Technologeeks.com

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Plan

• Android Boot Chain • iOS Boot Chain • TrustZone • iOS & TrustZone • Android & TrustZone

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! morpheus@Zepyhr$ whoami (一点儿宣传 ☺) • 深入解析 Android • Available (in Chinese!) End of 2016 – Including N • http://NewAndroidBook.com/ Volume I (available) Volume II (soo-N) morpheus@Zepyhr$ whoami (一点儿宣传 ☺)

• 深入解析Mac OS X & iOS 操作系统 • http://NewOSXBook.com/

• Plenty of useful reversing tools – jtool – procexp – filemon

• But book terribly outdated! Boot Chains of Trust

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Boot Chains of Trust The Android Boot Sequence

• Exact flow varies with vendor, but can be generalized

• Components (except ROM) easily extracted from OTA

Kernel BootROM SBL ABoot + initrd

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Android Boot: The BootROM

• Very specific per chipset manufacturer

• Not much is known about ROMs

• But not really relevant for our discussion, either

• Contain a hard coded public key( 公钥) of manufacturer

Kernel BootROM SBL ABoot + initrd

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Boot Chains of Trust Android Boot: SBL

• Vendor specific, but usually same operation: – Initialize subsystems (baseband, DSP, GPU, TZ) – Locate Android Boot

• Signed with private key( 与私钥) of manufacturer – Signature is first link in chain of trust – May contain another public key of manufacturer or same.

Kernel BootROM SBL ABoot + initrd

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Boot Chains of Trust Android Boot: ABoot

• Commonly* based off of open source Little Kernel – May be customized by vendor

• Supports FASTboot or other (e.g. ODIN) for flashing

• May or may not be unlockable ( 解鎖) – If unlocked: • Effaces data (to ensure user data won’t be compromised) • Breaks chain of trust (any kernel can be loaded) • Usually blows a Qfuse to indicate void warranty

Kernel BootROM SBL ABoot + initrd

* - Samsung, others have custom loaders (C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Boot Chains of Trust Android Boot: Kernel + initrd

• Kernel is same ol’ Linux, but compiled for ARMv7/v8 • InitRD ( 初始 RAM 磁盘) contains root (/) file system – /init daemon and other vital daemons – /init.rc configuration files – SEPolicy (SELinux 的策略) which is enforced on device

• Crucial components for security so bundled together – Kernel + initrd is in one partition – Aboot verifies hash of partition before loading (if locked)

Kernel BootROM SBL ABoot + initrd

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Boot Chains of Trust Android Boot: DM-Verity

• Extends boot-chain by taking hash of /system – /system is read-only, so in theory should not be modified

• /system mounted through device mapper, as dm# device • All I/O flows through device mapper, verifies hashes – Incorrect hash causes I/O error

• In practice nice idea, but utterly useless ( 不中用) – System-less root methods root but leave /system untouched.

Kernel BootROM SBL ABoot /system + initrd

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! The iOS Boot Sequence iOS Boot Sequence

• All boot components are encrypted – 32-bit: IMG3 64-bit: IMG4 (DER)

• All boot components are validated – Slightest error sends device to recovery (and forced upgrade!)

• 64-bit boot sequence still not broken*

• 64-bit systems bolstered with Kernel Patch Protection (9.0) – Feeble (but valiant) attempt to prevent runtime kernel patches

BootROM LLB iBoot Kernel

* - no public ROM/iLLB/iBoot exploit presently known (C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! The iOS Boot Sequence iOS Boot: The BootROM

• Read only memory component, “Apple SecureROM” – Contains harded coded public key of Apple

• Wasn’t that secure in A4 devices (<= iPhone 4) – Limera1n allows bypass and full ROM dump

• Considerably better in A5 and later devices (>=4S)

• Virtually unknown in A7 and later devices (5S+, 64-bit) – Theoretically dumpable via JTAG

BootROM LLB iBoot Kernel

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! The iOS Boot Sequence iOS Boot: iLLB

• Low Level Bootloader • Functions as stage 1 bootloader • Provides basic USB functionality (e.g. DFU) • Loads iBoot

BootROM LLB iBoot Kernel

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! The iOS Boot Sequence iOS Boot: iBoot

• Main component of boot process • Initializes all sub components • Spawns several threads (poweroff, idle, USB, ...) • Provides full USB functionality, HFS+, and more • 64-bit version also communicates with SEP • Locates and loads kernelcache, but refuses arguments • Logs to serial console, then turns it off • Turns GID access off • Validates SHSH (< iOS5) or APTicket (>=iOS5)

BootROM LLB iBoot Kernel

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! The iOS Boot Sequence iOS Boot: KernelCache

• /System/Library/Caches/com.apple.kernelcaches/

• Prelinks all kernel extensions ( 内核,包括所有的扩展)

• Kernel extension loading otherwise disabled

• Benefits: – Speed (prelinking) – Security (kernel + kexts authenticated, no other kexts allowed)

BootROM LLB iBoot Kernel

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Validating components: SHSH

• User updates/restores device • iBoot gets image (IPSW), parses it, generates request

Key Value ApBoardID From IPSW ApChipID From Device ApECID Exclusive Chip ID ApProductionMode true (unfortunately) ApSecurityDomain From IPSW UDID Unique Device Identifier HostPlatformInfo iTuneshost OS identifier Locality en_US,zh_CN, etc.. VersionInfo libauthinstall-a.b.c.d.e • iTunes POSTs to http://www.gs.apple.com • Apple signs with their private key. • iBoot stores in NAND firmware partition SCAB container https://www.theiphonewiki.com/wiki/SHSH_Protocol Validating components: SHSH

• Serious vulnerability: Replay – Protocol is plaintext, so easy to capture blobs – Store safely for a rainy day – When you want to bypass, fake gs.apple.com (e.g. /etc/hosts)

• Widely used before iOS 5 for downgrades ( 降級) – iFaith – Saurik’s cydia server (built-in functionality) – TinyUmbrella (TSS Server)

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Validating components: APTicket

• Same as SHSH, but image now contains ApNonce

Key Value ApBoardID From IPSW ApChipID From Device ApECID Exclusive Chip ID ApNonce Random From iBoot(!) 隨機產生 ApProductionMode true (unfortunately) ApSecurityDomain From IPSW ApTicket true UDID Unique Device Identifier HostPlatformInfo iTuneshost OS identifier Locality en_US,zh_CN, etc.. VersionInfo libauthinstall-a.b.c.d.e • iBoot stores in firmware partition and /System/Library/Caches – Nonce prevents replay unless iBoot can be pwned (e.g. Odysseus)

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! iOS 10b1: Think different

• For the first time, kernelcache is not encrypted • Provides a first look at “missing pieces” – Jettisoned segments (e.g. KLD, __PRELINK_INFO) – KPP: Kernel Patch Protection

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! iOS 10b1: Think different

• Mistake? Intentional? Only Cupertino knows... But I say: 废话...

* Edit – Apple apparently took this seriously and did open the 32-bit chain (but NOT 64) in 10b2. (C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! TrustZone & ELx

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! TrustZone 技

• Hardware support for a trusted execution environment

• Provides a separate “secure world” 安全世界 – Self-contained operating system – Isolated from “non-secure world”

• In AArch64, integrates well with Exception Levels (例外層級) – EL3 only exists in the secure world – EL2 (hypervisor) not applicable in secure world.

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Trust Zone Architecture (Aarch32) 非安全世界安全世界

Source: ARM documentation

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Android uses of TrustZone

• Cryptographic hardware backing (keystore, gatekeeper) – Key generation, storage and validation are all in secure world – Public keys accessible in non-secure world

• DRM ( 数字版权管理) - special case crypto hardware backing)

• Hardware backed entropy – PRNG ( 随机数发生器) code

• 安全 NFC 通信通道 (Android Pay)

• Kernel and boot chain integrity

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Samsung uses of TrustZone

• TrustZone is a fundamental substrate for KNOX

– Trusted Integrity Measurement Attestation (TIMA) provides

• Client Certificate Management (CCM) – Extends keystore by hardware backing

• Periodic Kernel Measurement (PKM ) 周期内核测量 – Similar to iOS’s KPP – periodically checks kernel page hashes » 会定期检查内核校验和

• Realtime Kernel Protection (RKP) 实时内核保护 – Intercepts events from kernel using traps to secure monitor (SMC) – 捕获任何恶意活动

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! iOS Uses of TrustZone

• 32-bit: Apparently, none(?) – No SMC instructions in decrypted kernelcache

• 64-bit: KPP – Long thought (mistakenly) to have been in Secure Enclave – iLLB/iBoot also physically separated from kernel memory

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Implementation (AArch32)

安全配置寄存器 • Implemented by a Secure Configuration Register (SCR)

• NS = 0: 系统处于安全状态. NS =1 系统处于非安全状态

• SCR is co-processor CP15,c1 • Cannot be accessed in non-secure world: – Need SMC 特殊指令

• MMU enforces memory separation between worlds – http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0301h/Chdfjdgi.html

• Interrupts (IRQ/FIQ) can be handled by secure world

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Entering TrustZone (AArch32)

• SMC to TrustZone is like SVC/SWI to supervisor mode SMC 是一个特殊指令，类似于软件中断指令（SWI ）

• Control transferred to a “monitor vector” in secure world

SMC SMC 指令

Prefetch Abort Data Abort 中止

IRQ 中断 0x1C FIQ 快速中断 monitor 的异常向量表 Voluntary Transition: SMC

• SMC特殊指令 only valid while in supervisor mode – (i.e. requires the OS to be in kernel ( 内核) mode)

D 4 0 ...... 3

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Exception Handling (AArch64)

Trusted Trusted EL0 App 0,0 ...... App 0,n App 1,0 ...... App 1,n App App

SVC

OS Kernel ( 内核) OS Kernel ( 内核) Secure Kernel ( 内核) EL1 0 1 Exceptions

SMC HVC

管理程序 EL2 Hypervisor ( )

SMC

我不知道怎么 EL3 Secure Monitor ( 说 )

架構定義了四個例外層級

(特权模型分离技术) (C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Setting up Trustzone

• 32-bit: – CPU boots into secure world (NS=0) – Loader/kernel sets up monitor vector (SMC, IRQ or FIQ entries) – Sets up SCR NS=1 and “drops” to Normal World

• 64-bit: 异常向量表基地址寄存器指定 – CPU boots into EL3 – Secure Monitor sets up VBAR_Elx (SError, IRQ or FIQ entries) – Drops to EL2 (Hypervisor, 管理程序) or EL1 (kernel, 内核)

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! AArch64 Exception Handling

0x000 Synchronous

IRQ/vIRQ

Currrent EL, SP0 FIQ/vFIQ

SError/vSError

0x200 Synchronous

IRQ/vIRQ Currrent EL, SPSel FIQ/vFIQ SError/vSError Synchronous 0x400 Synchronous IRQ/vIRQ IRQ/vIRQ Lower EL, AArch64 FIQ/vFIQ SError/vSError FIQ/vFIQ 0x600 Synchronous IRQ/vIRQ SError/vSError Lower EL, AArch32 FIQ/vFIQ

SError/vSError

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Case Study: KPP

0x000 Synchronous

IRQ/vIRQ

Currrent EL, SP0 FIQ/vFIQ

SError/vSError

0x200 Synchronous

IRQ/vIRQ Currrent EL, SPSel FIQ/vFIQ

SError/vSError

0x400 Synchronous

IRQ/vIRQ Lower EL, AArch64 FIQ/vFIQ

SError/vSError

0x600 Synchronous IRQ/vIRQ Lower EL, AArch32 FIQ/vFIQ

SError/vSError

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Case Study: KPP

0x000 Synchronous

IRQ/vIRQ

Currrent EL, SP0 FIQ/vFIQ

SError/vSError

0x200 Synchronous

IRQ/vIRQ Currrent EL, SPSel Check TTBR_EL1 access FIQ/vFIQ

SError/vSError

0x400 Synchronous

IRQ/vIRQ Lower EL, AArch64 Check for known SMC codes FIQ/vFIQ

SError/vSError

0x600 Synchronous IRQ/vIRQ Default Lower EL, AArch32 FIQ/vFIQ

SError/vSError

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Case Study: KPP

0x000 Synchronous

IRQ/vIRQ

Currrent EL, SP0 FIQ/vFIQ

SError/vSError

0x200 Synchronous

IRQ/vIRQ Currrent EL, SPSel Check TTBR_EL1 access FIQ/vFIQ

SError/vSError

0x400 Synchronous

IRQ/vIRQ Lower EL, AArch64 Check SMC FIQ/vFIQ

SError/vSError

0x600 Synchronous IRQ/vIRQ Default Lower EL, AArch32 FIQ/vFIQ

SError/vSError

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! KPP: Kernel Side morpheus@zephyr (~/.../iOS10)$ jtool –opcodes -d __TEXT_EXEC.__text xnu. 3705 .j 99 a| grep SMC Opened companion File: ./xnu.3705.j99a.ARM64.33A2E481-EF0F-3779-8C96-360114BB824A Loading symbols... Disassembling from file offset 0x78000, Address 0xfffffff00747c000 fffffff007483b0c d4000223 SMC #17 ; # # Add symbol to companion file, for easy reference later: morpheus@zephyr (~/.../iOS10)$ echo 0xfffffff 007483 b0c:_smc >> ./xnu. 3705 .j 99 a.* # # Find All calls to SMC morpheus@zephyr (~/.../iOS10)$ jtool -d __TEXT_EXEC.__text xnu. 3705 .j 99 a| grep -B 4 “ _smc” Opened companion File: ./xnu.3705.j99a.ARM64.33A2E481-EF0F-3779-8C96-360114BB824A Loading symbols... Disassembling from file offset 0x78000, Address 0xfffffff00747c000 fffffff0074c002c MOVZ W0, 0x801 ; ->R0 = 0x801 fffffff0074c0030 MOVZ X1, 0x0 ; ->R1 = 0x0 fffffff0074c0034 MOVZ X2, 0x0 ; ->R2 = 0x0 fffffff0074c0038 MOVZ X3, 0x0 ; ->R3 = 0x0 fffffff0074c003c BL _smc ; 0xfffffff007483b0c ... fffffff00756e780 ADD X1, X9, X11 ; 0xfffffff107488193 fffffff00756e784 ORR W0, WZR, #0x800 ; ->R0 = 0x800 fffffff00756e788 MOVZ X2, 0x0 ; ->R2 = 0x0 fffffff00756e78c MOVZ X3, 0x0 ; ->R3 = 0x0 fffffff00756e790 BL _smc ; 0xfffffff007483b0c

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! KPP Checks

On entry: • Iterates over Kernel, all kexts • Checks all __TEXT segments, and __const sections • Takes checksums, kept in EL3 • Checksums verified during checks

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! KPP Weakness (patched in 9.2)

• Plenty of pointers in __DATA sections not protected

• Example: AMFI MACF hooks – Pangu 9 patches MACF hooks – Moved in 9.2 to __DATA.__const

• Maybe there’s still more pointers? – Ask organizers of conference ☺

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! iOS 10 changes

• XNU Mach-O binary re-segmented – This means that “leaked” KPP no longer works • Checks for hard coded __DATA.__PRELINK_INFO, ... morpheus@zephyr• Decoy? (~/.../iOS10)$ Anotherjtool “mistake”? -d kpp | *shrug* grep \" Opened companion File: ./kpp.ARM64.35324088-001A-383E-976E-C4EBD990F3A8 Loading– symbols... “Real” implementation is very likely now part of iBoot Disassembling from file offset 0x1000, Address 0x4100001000 410000429c ADR X22, #12662 "_PrelinkExecutableLoadAddr" ; R22 = .. 41000042a8 ADR X25, #12635 "__DATA" ; ->R25 = 0x4100007403 41000042c8 ADR X1, #12570 "__TEXT" ; ->R1 = 0x41000073e2 41000042e0 ADR X1, #12564 "__PRELINK_INFO" ; ->R1 = 0x41000073f4 41000044fc ADR X23, #12280 "???.kext" ; ->R23 = 0x41000074f4 410000451c ADR X1, #12140 "_PrelinkExecutableLoadAddr0x%llx_PrelinkKmodInfo" ; ->R1 = 0x4100007488 4100004570 ADR X1, #11976 "_PrelinkBundlePath/System/Library/Extensions/" ; ->R1 = 0x4100007438 4100004588 ADR X0, #11952 "_PrelinkBundlePath/System/Library/Extensions/" ; ->R0 = 0x4100007438 410000459c ADR X1, #11997 ".kext" ; ->R1 = 0x4100007479 4100004638 ADR X25, #11723 "__DATA" ; ->R25 = 0x4100007403 41000046bc ADR X1, #11565 "__firmware" ; ->R1 = 0x41000073e9 41000048d0 ADR X1, #11066 "__const" ; ->R1 = 0x410000740a 41000049ac ADR X1, #10846 "__const" ; ->R1 = 0x410000740a

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! iOS 10 changes

morpheus@zeyphr(~/.../iOS10)$ jtool -v -l ~/Documents/iOS/ 9b/kernel.dump. 9.3.0 | grep SEGM LC 00: LC_SEGMENT_64 Mem: 0xffffff8006804000-0xffffff8006cec000 File: 0x0-0x4e8000 r-x/r-x __TEXT LC 01: LC_SEGMENT_64 Mem: 0xffffff8006cec000-0xffffff8006db0000 File: 0x4e8000-0x540000 rw-/rw- __DATA LC 02: LC_SEGMENT_64 Mem: 0xffffff8006db0000-0xffffff8006db4000 File: 0x540000-0x544000 rw-/rw- __KLD LC 03: LC_SEGMENT_64 Mem: 0xffffff8006db4000-0xffffff8006db8000 File: 0x544000-0x548000 rw-/rw- __LAST LC 04: LC_SEGMENT_64 Mem: 0xffffff8006e14000-0xffffff80082a8000 File: 0x5a4000-0x1a38000 rw-/rw- __PRELINK_TEXT LC 05: LC_SEGMENT_64 Mem: 0xffffff8006db8000-0xffffff8006db8000 File: Not Mapped rw-/rw- __PRELINK_STATE LC 06: LC_SEGMENT_64 Mem: 0xffffff80082a8000-0xffffff800834c000 File: 0x1a38000-0x1ad9b18 rw-/rw- __PRELINK_INFO LC 07: LC_SEGMENT_64 Mem: 0xffffff8006db8000-0xffffff8006e113a8 File: 0x548000-0x5a13a8 r--/r-- __LINKEDIT morpheus@Zephyr (~/.../iOS10)$ jtool -v -l xnu. 3705 .j 99 a |grep SEG LC 00: LC_SEGMENT_64 Mem: 0xfffffff007404000-0xfffffff007460000 File: 0x0-0x5c000 r-x/r-x __TEXT LC 01: LC_SEGMENT_64 Mem: 0xfffffff007460000-0xfffffff00747c000 File: 0x5c000-0x78000 rw-/rw- __DATA_CONST LC 02: LC_SEGMENT_64 Mem: 0xfffffff00747c000-0xfffffff0078dc000 File: 0x78000-0x4d8000 r-x/r-x __TEXT_EXEC LC 03: LC_SEGMENT_64 Mem: 0xfffffff0078dc000-0xfffffff0078e0000 File: 0x4d8000-0x4dc000 rw-/rw- __KLD LC 04: LC_SEGMENT_64 Mem: 0xfffffff0078e0000-0xfffffff0078e4000 File: 0x4dc000-0x4e0000 rw-/rw- __LAST LC 05: LC_SEGMENT_64 Mem: 0xfffffff0078e4000-0xfffffff007994000 File: 0x4e0000-0x514000 rw-/rw- __DATA LC 06: LC_SEGMENT_64 Mem: 0xfffffff004004000-0xfffffff005a7c000 File: 0x574000-0x1fec000 rw-/rw- __PRELINK_TEXT LC 07: LC_SEGMENT_64 Mem: 0xfffffff007994000-0xfffffff007994000 File: Not Mapped rw-/rw- __PLK_TEXT_EXEC LC 08: LC_SEGMENT_64 Mem: 0xfffffff007994000-0xfffffff007994000 File: Not Mapped rw-/rw- __PRELINK_DATA LC 09: LC_SEGMENT_64 Mem: 0xfffffff007994000-0xfffffff007994000 File: Not Mapped rw-/rw- __PLK_DATA_CONST LC 10: LC_SEGMENT_64 Mem: 0xfffffff007994000-0xfffffff007994000 File: Not Mapped rw-/rw- __PLK_LINKEDIT LC 11: LC_SEGMENT_64 Mem: 0xfffffff0079f4000-0xfffffff007ab0000 File: 0x1fec000-0x20a5bac rw-/rw- __PRELINK_INFO LC 12: LC_SEGMENT_64 Mem: 0xfffffff007994000-0xfffffff0079f07a0 File: 0x514000-0x5707a0 r--/r-- __LINKEDIT

– Decoy? Another “mistake”? *shrug* – Implementation is very likely now part of iBoot, (EL3 inaccessible)

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Android & TrustZone

• BootROM/SBL loads TZ image of “secure OS” – Usually in a TZ partition on flash – Backup (identical) usually also present

• Trustzone kernel usually an ELF image – Actual implementation is vendor-specific – Examples: Nvidia, Qualcomm

• Linux Kernel communicates with TZ kernel via driver • Driver exports character device to user mode • (Usually) dedicated daemon to communicate with kernel

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Android & TrustZone

keystore

HAL com.android.application

TZ Daemon gatekeeper (e.g. qseecomd) SVC 指令 HAL

Kernel

TZ Driver 3rd Party

Android SMC 指令

Vendor Linux TZ OS

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Android & TrustZone: examples

• NVidia (Nexus 9):

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Android & TrustZone: Samsung

root@s6# ls –l dev/block/platform/ 15570000 .ufs/by -name lrwxrwxrwx root root 2016-05-27 08:53 BOOT -> /dev/block/sda5 lrwxrwxrwx root root 2016-05-27 08:53 BOTA0 -> /dev/block/sda1 lrwxrwxrwx root root 2016-05-27 08:53 BOTA1 -> /dev/block/sda2 lrwxrwxrwx root root 2016-05-27 08:53 CACHE -> /dev/block/sda16 lrwxrwxrwx root root 2016-05-27 08:53 DNT -> /dev/block/sda10 lrwxrwxrwx root root 2016-05-27 08:53 EFS -> /dev/block/sda3 lrwxrwxrwx root root 2016-05-27 08:53 HIDDEN -> /dev/block/sda17 lrwxrwxrwx root root 2016-05-27 08:53 OTA -> /dev/block/sda7 lrwxrwxrwx root root 2016-05-27 08:53 PARAM -> /dev/block/sda4 lrwxrwxrwx root root 2016-05-27 08:53 PERSDATA -> /dev/block/sda13 lrwxrwxrwx root root 2016-05-27 08:53 PERSISTENT -> /dev/block/sda11 lrwxrwxrwx root root 2016-05-27 08:53 RADIO -> /dev/block/sda8 lrwxrwxrwx root root 2016-05-27 08:53 RECOVERY -> /dev/block/sda6 lrwxrwxrwx root root 2016-05-27 08:53 SBFS -> /dev/block/sda14 lrwxrwxrwx root root 2016-05-27 08:53 STEADY -> /dev/block/sda12 lrwxrwxrwx root root 2016-05-27 08:53 SYSTEM -> /dev/block/sda15 lrwxrwxrwx root root 2016-05-27 08:53 TOMBSTONES -> /dev/block/sda9 lrwxrwxrwx root root 2016-05-27 08:53 USERDATA -> /dev/block/sda18 root@s6# cat partitions | grep -v sda major minor #blocks name 7 0 32768 loop0 8 16 4096 sdb # Boot loader 8 32 4096 sdc # CryptoManager 253 0 2097152 vnswap0

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Reversing

• From Secure World: ( 安全世界) – If you can get TZ (or iBoot ☺) image, start at VBAR_EL3 – Find SMC/ handler (Synchronous) – Find IRQ/FIQ handlers

• From Non-Secure World: ( 非安全世界) – Get kernel or bootloader – disarm and look for SMC calls

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! disarm

# disarm will automatically find strings when used as arguments root@s6# JCOLOR= 1 disarm /dev/sdb 1 | less -R ... 0x0003fac4 0xd00002e0 ADRP X0, 94 ; X0 = 0x9d000 0x0003fac8 0x9112e000 ADD X0, X0, #1208 ; X0 = X0 + 0x4b8 = 0x9d4b8 0x0003facc 0x94001461 BL 0x44c50 ; = 0x44c50 (" This is a non -secure chip. Skip...") .. # So now we know 03 fac 4 is called on non -secure chip.. Search back using “? 0x3fac 4” # disarm will attempt to auto guess the arguments to SMC as well 0x0003f9f4 0x12801de0 MOVN X0, #239 0x0003f9f8 0x52800001 MOVZ W1, 0x0 0x0003f9fc 0x2a1403e2 MOV X2, X20 ; X2 = X20 (0xf7120) 0x0003fa00 0xa9bf7bfd STP X29, X30, [SP,#-16]! 0x0003fa04 0xd4000003 SMC #0 ; (X 0=0xffffffffffffff 10 , X 1=0x0, X 2=0xf 7120 ..) 0x0003fa08 0xa8c17bfd LDP X29, X30, [SP],#16 0x0003fa0c 0x3100041f CMN W0, #1 0x0003fa10 0x2a0003e2 MOV X2, X0 ; X2 = X0 (?) 0x0003fa14 0x54000580 B.EQ 0x3fac4 # can also grep SMC ... 0x0004f014 0xd4000003 SMC #0 ; (X0=0xc2001014, X1=0x0, X2=0x22..) 0x0004f044 0xd4000003 SMC #0 ; (X0=0xc2001014, X1=0x0, X2=0x21..) 0x0004f098 0xd4000003 SMC #0 ; (X0=0xc2001014, X1=0x0, X2=0x20..) 0x0004f0c8 0xd4000003 SMC #0 ; (X0=0xc2001014, X1=0x0, X2=0x1f..) ...

Simple but effective ARM64 disassembler ( http://NewAndroidBook.com/tools/disarm.html )

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Trusty

• Google’s attempt to standardize TEE Oses – https://source.android.com/security/trusty/index.html

• Used by Nvidia (+ LK)

• Supplies: – gatekeeper, keymaster, NVRAM modules – Kernel driver – LK base – Trusty OS

• https://android-review.googlesource.com/#/admin/projects/?filter=trusty

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Linux Kernel Support

• Generic Trustzone driver integrated into 3.10

• Qualcomm (msm) kernels have SCM driver – Secure Channel Manager – Creates a character device which qseecomd opens

• Driver issues SMC instructions, passes command buffers – Terrible buggy driver – Terrible buggy daemon – http://bits-please.blogspot.com/ - Step by step hack of QCOM TZ • Amazing exploit and explanation – Masterful hack, and a great read!

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! Android Vulnerabilities

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! References

• ARM TrustZone documentation: – http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0301h/Chdfjdgi.html

• *OS Internals (Vol. III) – Security & Insecurity of Apple’s OSes – The unplanned 300+pg tome that started with a single chapter.. – Available August 2016!

(C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source! (C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source!